Hackers claim breach of Resecurity, the company reports the exposed system was a honeypot

Resecurity, a US-based cybersecurity firm, was listed in a public breach claim by the Scattered Lapsus$ Hunters (SLH) group. The attackers posted screenshots on Telegram on January 3, 2026, claiming full access to internal systems, chats, and client lists. 

Resecurity countered that the attackers actually entered a honeypot environment designed to lure and monitor them.

The SLH group, which includes elements of Lapsus$ and Scattered Spider, allege they stole employee data and threat intelligence reports. They claimed the attack was revenge for Resecurity's attempts to infiltrate their group by posing as buyers for stolen databases. The hackers shared images of a Mattermost instance as proof of their success.

Resecurity's claims they detected the threat actor probing systems on November 21, 2025. Instead of blocking them, the firm exposed an isolated environment with synthetic data. This allowed the attackers to log in and interact with fake records while researchers logged their IP addresses and tactics.

Per Resecurity's report, the attackers stole over 218,000 records, including fake Stripe transactions and consumer data. Between December 12 and 24, the group made 188,000 automated requests using residential proxies. Proxy failures eventually exposed the attackers' real IP addresses, which Resecurity shared with law enforcement.